Legal claims defining the scope of protection, as filed with the USPTO.
2. The method of claim 1, wherein the filtered set of intrusion detection signatures are received from a set of servers that perform a filtering operation to identify intrusion detection signatures applicable to workloads performed by machines executing on host computers in the datacenter, wherein identifying a matching intrusion detection signature causes an alert to be sent to the set of servers, the alert identifying a potential intrusion event based on the matching intrusion detection signature.
3. The method of claim 2, wherein the set of servers perform a particular action in response to the alert.
4. The method of claim 3, wherein the particular action comprises providing the alert in a report to a user.
5. The method of claim 2, wherein only a first subset of the received filtered set of intrusion detection signatures comprise intrusion detection signatures identified during the filtering operation performed by the set of servers, wherein a second subset of the received filtered set of intrusion detection signatures comprise intrusion detection signatures selected by a user and specified for workloads performed by the plurality of machines executing on the at least one host computer, wherein the workloads are identified based on a plurality of attributes associated with a set of data messages processed by the plurality of machines on the at least one host computer.
6. The method of claim 1, wherein comparing the generated intrusion detection signature with the received set of intrusion detection signatures comprises mapping bits in the bit pattern of the generated intrusion detection signature to one or more bits in a bit pattern of each intrusion detection signature in the filtered set of intrusion detection signatures.
7. The method of claim 6, wherein each workload that processed the particular data message is a bit or a plurality of bits in the generated intrusion detection signature's bit pattern.
8. The method of claim 6, wherein an active directory group of a source machine associated with the particular data message is a bit or a plurality of bits in the generated intrusion detection signature's bit pattern.
9. The method of claim 1, wherein the identified set of intrusion detection signatures comprise signatures for detecting (i) anomalous user behavior and (ii) anomalous data message traffic behavior.
10. The method of claim 1, wherein the method is performed by an intrusion detection system that operates on the at least one host computer and that is configured to use the filtered set of intrusion detection signatures to detect potential intrusion events on the at least one host computer.
September 17, 2024